CN106688220B - Method, computer system and storage device for providing access to a resource - Google Patents

Method, computer system and storage device for providing access to a resource

Info

Publication number: CN106688220B
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201580049885.7A
Other languages: Chinese (zh)
Other versions: CN106688220A (en)
Prior art keywords: compliance, computer system, service, user device, policy
Inventors: C·S·格林, F·H·库瑞施, S·森谷普塔, N·R·索伊, M·J·海利
Current assignee: Microsoft Technology Licensing LLC
Original assignee: Microsoft Technology Licensing LLC
Application filed by Microsoft Technology Licensing LLC; published as CN106688220A, then granted and published as CN106688220B.
Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
                • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
Abstract

Access to one or more resources is provided to a user device. A method includes registering, at the user device, with an identity service to obtain an identity credential. The method also includes registering, at the user device, with a policy management service by presenting the identity credential. The method also includes providing, at the user device, an indication of a current state of the user device to the policy management service. The policy management service may then indicate the compliance level of the user device to the identity service. The method also includes the user device receiving a token from the identity service based on the compliance level of the user device as compared to the policy set.

Description

Method, computer system and storage device for providing access to a resource
Background
Handheld mobile computing devices have become ubiquitous. For example, many people have so-called smart phones or tablet computers. Such devices allow users to access a wide range of services using a cellular data system or other network system. For example, using such a device, a user may access email, the internet, online databases, and the like. People with personal smart phones (or other smart devices) may often want to use these personal devices to access corporate resources belonging to a company that employs them.
IT administrators are today able to configure, monitor and evaluate the compliance of mobile devices through various policy management systems. They do so to protect corporate services and data. One key challenge, however, is how to enforce management of devices by a policy management system, or compliance with various policies, before allowing the devices to access these resources. Some solutions that exist today require a direct connection between the corporate service and the policy management system to determine whether the device is managed and compliant before allowing access to the corporate service. This approach is difficult to scale as more services and client applications are added.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is provided merely to illustrate one exemplary technology area in which some embodiments described herein may be practiced.
Disclosure of Invention
One embodiment illustrated herein includes a method that may be implemented in a computing environment. The method includes acts for providing access to one or more resources to a user device. The method includes registering, at the user device, with an identity service to obtain an identity credential. The method also includes registering, at the user device, with a policy management service by presenting the identity credential. The method also includes providing, at the user device, an indication of a current state of the user device to the policy management service. The method also includes the user device receiving a token from the identity service based on the compliance level of the user device as compared to the policy set, because the policy management service has provided an indication to the identity service of compliance with the policy set.
Another embodiment includes a method that may be practiced in a computing environment. The method includes acts for providing access to one or more resources to a user device. The method includes receiving, at an identity management service, a registration request from a user device for obtaining identity credentials from the identity management service. The method also includes receiving, at the identity management service, an indication from a policy management service of whether the user device complies with one or more policies; the policy management service determines this using information provided by the device, which identifies itself to the identity management service using the identity credential. The method also includes receiving, at the identity management service, a request from a service endpoint to verify that the device complies with the one or more policies. The method also includes providing, at the identity management service, a token with an indication of the device's compliance status with respect to the one or more policies to the service endpoint, based on the indication from the policy management service of whether the user device complies with the one or more policies.
Another embodiment illustrated herein includes a user device for accessing a resource from a service endpoint. The user device includes a client component. The client component is configured to register with an identity service to obtain an identity credential. The client component is further configured to register with a policy management service by presenting the identity credential. The client component is further configured to provide an indication of a current state of the user device to the policy management service. The client component is further configured to receive a token response from the identity service based on the compliance level of the user device as compared to the policy set, because the policy management service has provided an indication to the identity service of compliance with the policy set. The user device also includes a client application configured to attempt to access one or more resources at the service endpoint using the token from the token response.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Additional features and advantages will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the teachings herein. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. Features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.
Drawings
In order to describe the manner in which the above-recited and other advantages and features can be obtained, a more particular description of the subject matter briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments and are not therefore to be considered to be limiting of scope, the embodiments will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
FIG. 1 illustrates the interaction between a user device, a service endpoint, an identity management service, and a policy management service;
FIG. 2 illustrates another example of interaction between a user device, a service endpoint, an identity management service, and a policy management service;
FIG. 3 illustrates a method of providing a user device with access to one or more resources; and
FIG. 4 illustrates another method of providing a user device with access to one or more resources.
Detailed Description
Some embodiments illustrated herein allow an IT administrator to allow and/or block access to services by tracking device states in a public identity management system by means of device claims. In some embodiments, this allows various service and client applications to implement conditional access without any direct connection to the policy management system, simply by utilizing the same identity management system and passing device claims.
Referring now to FIG. 1, an example topology is shown. The topology includes a client device 102. This may be, for example, a client computer, tablet, phone, or other device running an operating system capable of running applications and managed by policy management 108 (hereinafter also referred to as "policy management service 108" or "policy management system 108").
The client device 102 includes a client component 104. The client component 104 running on the client device 102 interprets, evaluates, and executes the policies sent to it by the policy management system 108.
The topology includes identity management 106 (hereinafter also referred to as "identity management service 106" or "identity management system 106"). Identity management system 106 manages the identities of users, devices, and service principals for security, authentication, and authorization purposes. In some embodiments, identity management system 106 may be Active Directory or Azure Active Directory, available from Microsoft Corporation of Redmond, Washington.
The topology includes a policy management system 108. Policy management system 108 is an interface used by IT professionals to create policies, target them, and deploy them to identities or accounts within managed applications. In some embodiments, this may be accomplished using the Intune service or Configuration Manager, available from Microsoft Corporation of Redmond, Washington.
The topology includes one or more service endpoints, such as service endpoint 110. The service endpoint 110 provides services to client applications. Access by client applications should be limited to client applications running on devices that are managed by the policy management system 108 and evaluated by it as compliant, although, as will be explained in more detail below, there may be exceptions for particular users or groups of users. Examples of service endpoints are virtually limitless, but may include services such as mail services (such as Exchange, available from Microsoft Corporation of Redmond, Washington), data sharing and document management services (such as SharePoint, available from Microsoft Corporation of Redmond, Washington), time entry and attendance management services, corporate intranets, and the like.
Client device 102 may also include one or more client applications, such as client application 112. This may be, for example, a mail client (such as Mobile Outlook Web Access, available from Microsoft Corporation of Redmond, Washington) or another client application running on the client device 102 (such as OneDrive for Business, available from Microsoft Corporation of Redmond, Washington), and so on.
An example workflow is shown below. An IT administrator sets a conditional access policy within a service endpoint 110 or identity management 106 to require that access be restricted to client applications 112 running on devices 102 that are managed and conform to the policy. Users and devices not targeted by the policy are not subject to conditional access, nor are clients without the policy management system 108.
An IT administrator creates one or more compliance policies for particular users, groups of users, devices, etc. Compliance policies are created and deployed to the policy management service 108.
In one example, a user attempts to connect to a service endpoint 110 from a client application 112 on an unmanaged device 102. After the user authenticates to the identity management system 106, the client application 112 receives the token 114 from the identity management system 106 and passes it to the service endpoint 110. The service endpoint 110 checks the token for a claim that the client device 102 is managed. The client application 112 fails to authenticate because the claim does not exist.
The user is redirected by the service endpoint 110 to the policy management system 108, which guides the user through the process of registering the client device 102 for management. The policy management system 108 deploys any targeted compliance policies 116 to the client device 102. For example, the targeted compliance policy 116 may apply settings to the device 102 such that the device 102 will comply with the policy for accessing the service endpoint 110. In some embodiments, this may cause device 102 to automatically set its state to comply with the policy. In other embodiments, the targeted compliance policy 116 may be presented to the user so that the user can manually make changes to the device 102.
Alternatively, in addition to guiding the user through the registration process, policy management system 108 may indicate what the user needs to change regarding the state of device 102 to comply with the policy for using endpoint 110. However, in some embodiments, this may not be performed, or may be performed at a later time.
In some embodiments, the compliance policy 116 may simply request the various states from the client device 102 rather than forcing the client state. The request may include a comprehensive list covering both states of interest to the policy set at the policy management system 108 and states of little or no interest to it. Alternatively, the request may be only for information about the states of interest. The request may ask for confirmation that a certain state of interest to the policy set exists at the client device 102. Alternatively or additionally, the request may simply ask for the status of the client device 102, which may then be used later to determine whether the device is in a compliant state for use with the service endpoint 110. For example, a policy set at policy management system 108 may require that any device using service endpoint 110 have a password of a certain length. The request in the compliance policy 116 may ask for an indication of password protection on the device 102. The device 102 may return an indication that a four-character PIN is in use on the device 102. Policy management system 108 may then determine whether the device is within the policy constraints.
The client component 104 interprets and processes the policy 116, which in this example is a compliance policy, and returns the results 118 of the processing to the policy management system 108. Policy management system 108 aggregates results 118 and sets compliance status settings 120 in identity management system 106. The settings 120 may indicate whether the device complies with a policy for accessing the service endpoint 110. Alternatively, policy management system 108 may not set any state in identity management system 106 if device 102 does not comply with the policy for accessing service endpoint 110. Thus, for example, the policy management system may set a state in the identity management system 106 in which the device 102 has a state that is in compliance with a compliance policy, a state in which the device 102 has a state that is not in compliance with other compliance policies, or no state at all in the identity management system 106. In some embodiments, policy management system 108 may simply indicate the level of security in identity management system 106. The security level may indicate the level of encryption, the strength of the password on the device, whether the device 102 is compromised, and/or other information about the state of the device.
The identity management system 106 may then reissue the token 114, but this time the token 114 will include a device claim indicating that the device 102 is compliant (when the device 102 is in fact compliant) or a device claim indicating a level of compliance. This is based on policy management system 108 indicating compliance in one or more settings in identity management system 106. Alternatively, the token may indicate non-compliance if the device 102 is still not compliant with the policy for accessing the service endpoint 110. This may be accomplished by generally indicating that the device 102 is non-compliant, by not including a claim that the device 102 is compliant, by indicating why the device 102 is not compliant, and so forth.
The user attempts to connect to the service endpoint 110 from the client application 112. This time, the token 114 issued by the identity management system contains a claim indicating that the client device 102 is managed and whether it is compliant.
If the client device 102 is compliant, the service endpoint provides the requested service. If the client device 102 is not compliant, the user is directed to information regarding compliance violations and how to remedy them. For example, in some embodiments, the user may again be directed to policy management system 108, and policy management system 108 may identify areas that are non-compliant and remedial actions that may be taken. Alternatively, there may be sufficient information in token 114 to enable device 102 to indicate to the user why device 102 is not compliant. In yet another alternative embodiment, the identity management system 106 may be able to obtain information from the policy management system 108 that may be communicated to the device 102.
A further alternative flow is shown below with reference to FIG. 2. An IT administrator sets a conditional access policy within the identity management system 106 to require that access be restricted to client applications running on managed and compliant devices. An IT administrator sets compliance policies within the policy management system 108 that specify that any device using the service endpoint 110 should comply with the policies. For example, the policy may specify that the device 102 should be protected and encrypted.
The device 102 registers the device state with the policy management system 108. The policy management system 108 sets policy compliance state settings 120 in the identity management system 106. Device 102 attempts to access a resource from service endpoint 110. The service endpoint 110 makes authentication decisions by querying device management and compliance status directly from the identity management system 106, rather than receiving them from the device 102 itself.
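The two flows above, as an added Python example written for this page (it is not code from the patent or from Microsoft). Four parties are simulated in one process: the device registers with the identity service, presents the resulting credential and its reported state to the policy management service, which evaluates a constructed compliance rule (PIN length and encryption) and writes the managed/compliant state into the identity service; the identity service then issues a signed token whose claims reflect that state, and the service endpoint either reads the claims (FIG. 1) or queries the identity service directly (FIG. 2). The token format (HMAC-SHA256 over a base64 JSON body), the compliance rule, the class and claim names, and the device identifier are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a deployed identity service signs with a private key.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign_token(claims):
    """Serialise the claim set and append an HMAC-SHA256 tag (assumed token format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_token(token):
    """Return the claim set if the tag verifies, otherwise None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class IdentityService:
    # Holds the managed/compliance state that policy management writes per device.

    def __init__(self):
        self.devices = {}

    def register(self, device_id):
        self.devices.setdefault(device_id, {"managed": False, "compliant": False})
        return {"device_id": device_id}  # stands in for the identity credential

    def set_compliance_state(self, device_id, managed, compliant):
        # Written by the policy management service, never by the device itself.
        self.devices[device_id] = {"managed": managed, "compliant": compliant}

    def issue_token(self, user, device_id):
        claims = {"sub": user, "dev": device_id}
        state = self.devices.get(device_id, {})
        if state.get("managed"):
            claims["managed"] = True
        if state.get("compliant"):
            claims["compliant"] = True  # an absent claim signals non-compliance
        return sign_token(claims)


class PolicyManagementService:
    # Evaluates the state a device reports against a constructed compliance policy.

    def __init__(self, identity, min_pin_length=6):
        self.identity = identity
        self.min_pin_length = min_pin_length

    def enroll(self, credential, reported_state):
        # The device presents its identity credential together with its current state.
        compliant = (reported_state.get("pin_length", 0) >= self.min_pin_length
                     and reported_state.get("encrypted", False))
        self.identity.set_compliance_state(credential["device_id"], True, compliant)
        return compliant


class ServiceEndpoint:
    # Gates access on token claims (FIG. 1) or on a direct state query (FIG. 2).

    def __init__(self, identity):
        self.identity = identity

    def authorize_by_claims(self, token):
        claims = verify_token(token)
        if claims is None:
            return "deny: invalid token"
        if not claims.get("managed"):
            return "redirect: enroll"
        return "allow" if claims.get("compliant") else "redirect: remediate"

    def authorize_by_query(self, token):
        claims = verify_token(token)
        if claims is None:
            return "deny: invalid token"
        state = self.identity.devices.get(claims["dev"], {})
        if not state.get("managed"):
            return "redirect: enroll"
        return "allow" if state.get("compliant") else "redirect: remediate"


def run_flow():
    """Walk the workflow; returns the endpoint's decision after each step."""
    identity = IdentityService()
    policy = PolicyManagementService(identity)
    endpoint = ServiceEndpoint(identity)
    cred = identity.register("device-102")  # constructed device identifier
    token = lambda: identity.issue_token("alice", "device-102")
    decisions = [endpoint.authorize_by_claims(token())]         # unmanaged: no claim
    policy.enroll(cred, {"pin_length": 4, "encrypted": False})  # 4-digit PIN: non-compliant
    decisions.append(endpoint.authorize_by_claims(token()))
    policy.enroll(cred, {"pin_length": 6, "encrypted": True})   # remediated state
    decisions.append(endpoint.authorize_by_claims(token()))
    decisions.append(endpoint.authorize_by_query(token()))      # FIG. 2 path
    return decisions
```

The endpoint verifies the tag before reading any claim, so the device cannot assert its own compliance: the only way a compliant claim appears is through the policy management service writing state into the identity service, which is the property the page relies on. A production deployment would use an asymmetric signature and an established token library rather than the constructed HMAC format used here.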
In light of the foregoing, various characteristics may be exhibited by one or more elements of the topology. In some embodiments, as described above, policy management system 108 can write a state, such as the state of device 102, into identity management system 106. This may even be performed when policy management system 108 and identity management system 106 are managed and/or owned by different entities. For example, in some embodiments, policy management system 108 may be capable of writing a state into identity management system 106 that indicates whether client device 102 is managed by policy management system 108. Alternatively or additionally, in some embodiments, policy management system 108 can summarize compliance for one or more policies and write the summarized state to identity management system 106. Alternatively or additionally, in some embodiments, the policy management system 108 can set access control rules within the identity management system 106 based on the managed and compliance status of the client device 102. In some embodiments, the policy management system 108 is configured to report the status of the compliance rules that contribute to the summarized compliance status. Thus, the policy management system may identify a particular state that results in device 102 being non-compliant or a particular state that results in device compliance. This information may be reported to the device 102 itself, the identity management system 106, or another appropriate entity of interest.
For example, in some embodiments, the policy management service 108 can provide an interface to redirect the client device 102 to participate in the registration process. For example, the policy management service 108 may be capable of directing the device 102 to the identity management system 106 to cause the device 102 to register with the identity management system 106.
Alternatively or additionally, embodiments may be implemented in which the policy management system 108 provides an interface that redirects the client device 102 to policy compliance violations and remediation information. For example, the policy management system 108 may redirect the device 102 to the identity management system 106 or another system that may identify to the client what policies the device 102 does not comply with and how the device changes to bring the device 102 into compliance.
Embodiments may be implemented in which the identity management system 106 includes functionality for storing information about policy compliance of client devices and performing actions based on the policy compliance of client devices. For example, embodiments may be implemented in which identity management system 106 is able to track a state indicating that a device is managed by a policy management system. Alternatively or additionally, embodiments may be implemented wherein the identity management system 106 includes functionality for tracking the following states: this state indicates that the device 102 is compliant with a policy that has been evaluated by the policy management system 108. Alternatively or additionally, embodiments may be implemented wherein identity management system 106 includes functionality for issuing device claims (such as in tokens) having a state representative of a managed state and/or a compliance state. Alternatively or additionally, embodiments may be implemented wherein the identity management system 106 includes functionality for enforcing access policies based on the device managed state and/or compliance state.
In some embodiments, a schema may be used to track device management status and device compliance status in the identity management service 106. This schema may be used when constructing a message to identify the message type, compliance status, managed status, or other factors of interest.
The following discussion now refers to various methods and method acts that may be performed. Although the method acts may be discussed in a certain order or illustrated in a flowchart as occurring in a particular order, no particular ordering is required unless specifically stated, or unless required because one act depends on another act being completed before it is performed.
Referring now to FIG. 3, a method 300 is shown. The method 300 may be practiced in a computing environment. Method 300 includes acts for providing a user device with access to one or more resources. One embodiment of method 300 is illustrated in the description of FIG. 1. For example, user device 102 may attempt to access a resource at service endpoint 110.
The method 300 includes registering, at the user device, with an identity service to obtain an identity credential (act 302). For example, the user device 102 may register with the identity management service 106 to obtain identity credentials. The identity credential may be used to identify the device 102.
The method 300 further includes registering with the policy management service at the user device by presenting the identity credential (act 304). Thus, for example, identity credentials obtained from the identity management service 106 may be presented to the policy management service 108.
The method 300 further includes providing, at the user device, an indication of a current state of the user device to a policy management service (act 306). Thus, for example, the user device 102 may indicate the status of the device 102 to the policy management service 108. Such status may be used to determine whether the device 102 complies with certain management policies.
The method 300 further includes the user device receiving a token from the identity service based on the compliance level of the user device as compared to the policy set (act 308). This can be performed because the policy management service has provided an indication of compliance with the management policy to the identity service, using the identity credential to associate the compliance indication with the device in the identity service.
The method 300 may also include receiving, from the identity service, a token with a claim that may be used to access a resource at the service endpoint when the state conforms to a set of policies defined at the policy management service. Thus, for example, the device 102 may receive the token 114 from the identity management service 106. The device may then use token 114 to obtain resources from service endpoint 110.
The method 300 may be practiced where receiving a token based on a compliance level of a user device as compared to a set of policies includes receiving a token with a claim identifying a compliance status of the user device. For example, the compliance status may be identified as compliant, non-compliant, compliant with certain policies, the original state of the device, a level of state where a higher level has higher security, and so forth.
The method 300 may be practiced where receiving a token based on a compliance level of the user device as compared to the policy set includes receiving a token that does not include a compliance declaration because the user device has a status that does not comply with the policy set.
The method 300 may also include the user device presenting the token to the service endpoint to attempt to access the resource at the service endpoint. Thus, for example, user device 102 may present token 114 to service endpoint 110 in an attempt to access a resource at service endpoint 110.
The method 300 may be practiced where the token indicates that the user device is managed by a policy management service. Thus, for example, token 114 may include a claim indicating that user device 102 is managed by policy management service 108.
The method 300 may be practiced where compliance is assessed at a policy management service based on at least one of a user state, a group state, a role state, an IP address, or a platform type (i.e., the type of operating system running on the device). Thus, for example, the policy management service 108 may make compliance decisions based on external factors. For example, if it can be determined that the user of the device 102 is the CEO of a company, the policy management service 108 can always indicate to the identity management service 106 that the device 102 is compliant regardless of the state of the device. Alternatively, in this case, a more relaxed criterion may be used to determine whether the device 102 is compliant. Thus, compliance can be based on the identity of the user, the group to which the user belongs (e.g., administrative group), the role (e.g., CEO), and so forth. In another embodiment, if a device 102 is communicating using an ip address that indicates that the device is on a network that is considered secure by the policy management service, the device may be indicated by the policy management service 108 as compliant to the identity management service 106 even if the device does not comply with certain policy-specified status conditions. With respect to platform type, an example may be that there are exempt rules that always block (or allow) devices with some operating system on them.
The method 300 may be practiced where compliance statements that allow access to resources at the service endpoint are issued based on a token issuance policy. Thus, similar to the example shown above, identity management service 106 itself can determine whether to issue a claim in token 114 based on factors such as user identity, user groups, user role, and/or various other external factors. Thus, for example, the policy management service 108 may have indicated to the identity management service 106 that the device 102 is not compliant. However, the identity management service 106 may determine that the device 102 belongs to the CEO of the company, and thus may nevertheless issue a claim in the token 114 that allows the device 102 to access resources at the service endpoint 110. In some embodiments, members of certain user groups will be provided with statements in tokens to allow them to gain access to resources. In some embodiments, this may be independent of the compliance level. Alternatively, it may have reduced compliance level requirements compared to other user groups. Alternatively or additionally, claims may be provided in the token based on certain external factors. For example, on some embodiments, the device 102 may not be compliant but within a trusted IP address range. In some embodiments, this may be sufficient for the identity management service 106 to issue a token to the device.
In some embodiments, the method 300 may be performed wherein the issued token includes an expired compliance statement. Compliance statements may be issued according to a compliance state freshness standard. This can be done to balance scalability and security. In particular, checking compliance on every access by the device 102 to the service endpoint 110 would require a significant amount of resources. By checking compliance at some periodic rate, fewer resources are required. However, a device that becomes non-compliant between checks may still be able to access resources at the service endpoint 110.
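The three decision points just described (external factors at the policy management service, a token issuance policy at the identity management service, and a freshness standard at the endpoint) as one added worked example. This is not code from the patent; the services are plain functions over constructed data, and every rule, IP range, level scale, sample device and user below is an assumption made for the example.

```python
"""Compliance decision with external factors, a token issuance policy and a
freshness window. Added example, not the patent's code: rules, IP ranges and
sample devices are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Set

@dataclass
class DeviceState:
    device_id: str
    os: str
    encrypted: bool
    password_len: int
    pin_required: bool
    ip: str

@dataclass
class UserContext:
    user: str
    groups: Set[str]
    role: str

@dataclass
class Assessment:
    compliant: bool
    level: int                    # constructed scale: 0 none, 1 low .. 3 full
    reason: str
    assessed_at: datetime
    hard_block: bool = False      # platform exempt rule that always blocks

# Constructed policy values (assumptions, not from the page)
MIN_PASSWORD_LEN = 8
TRUSTED_NETS = [ip_network("10.0.0.0/8")]   # network the policy service treats as secure
BLOCKED_PLATFORMS = {"legacy-os"}           # always blocked regardless of device state
EXEMPT_ROLES = {"ceo"}                      # claim issued regardless of device state
RELAXED_GROUPS = {"admins"}                 # may skip only the PIN requirement
FRESHNESS = timedelta(hours=24)             # compliance state freshness standard

def device_violations(state: DeviceState) -> List[str]:
    """Policy items the device state fails (the device-state part of the check)."""
    v = []
    if not state.encrypted:
        v.append("encryption")
    if state.password_len < MIN_PASSWORD_LEN:
        v.append("password_length")
    if not state.pin_required:
        v.append("pin")
    return v

def on_trusted_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def assess_compliance(state: DeviceState, now: datetime) -> Assessment:
    """Policy management service: device state plus platform type and IP address."""
    if state.os in BLOCKED_PLATFORMS:
        return Assessment(False, 0, "platform blocked", now, hard_block=True)
    violations = device_violations(state)
    if not violations:
        return Assessment(True, 3, "device state compliant", now)
    if on_trusted_network(state.ip):   # relaxed criterion: compliant at a lower level
        return Assessment(True, 2, "trusted network; " + ",".join(violations), now)
    return Assessment(False, 0, "violations: " + ",".join(violations), now)

def issue_token(state: DeviceState, ctx: UserContext, a: Assessment, now: datetime) -> dict:
    """Identity management service: token issuance policy over the policy verdict."""
    compliant, level = a.compliant, a.level
    if not compliant and not a.hard_block:
        if ctx.role in EXEMPT_ROLES:
            compliant, level = True, 3
        elif ctx.groups & RELAXED_GROUPS and set(device_violations(state)) <= {"pin"}:
            compliant, level = True, 2
    claims = {"sub": state.device_id, "user": ctx.user, "managed": True,
              "iat": now.isoformat()}
    if compliant:   # the claim is omitted, not set to false, for a non-compliant device
        claims.update(compliant=True, compliance_level=level,
                      compliance_assessed_at=a.assessed_at.isoformat())
    return claims

def endpoint_accepts(token: dict, now: datetime, required_level: int = 1,
                     max_age: timedelta = FRESHNESS) -> bool:
    """Service endpoint: require the claim, a minimum level and a fresh assessment."""
    if not token.get("compliant") or token.get("compliance_level", 0) < required_level:
        return False
    age = now - datetime.fromisoformat(token["compliance_assessed_at"])
    return age <= max_age             # an expired compliance statement is rejected

NOW = datetime(2015, 9, 17, 12, 0, tzinfo=timezone.utc)

def decide(state, ctx, assessed_at=NOW, required_level=1) -> bool:
    a = assess_compliance(state, assessed_at)
    return endpoint_accepts(issue_token(state, ctx, a, NOW), NOW, required_level)

def run_scenarios() -> dict:
    """Constructed devices and users; returns the endpoint decision per scenario."""
    good = DeviceState("d1", "win", True, 12, True, "203.0.113.5")
    bad = DeviceState("d2", "win", False, 4, False, "203.0.113.6")
    bad_inside = DeviceState("d3", "win", False, 4, False, "10.1.2.3")
    no_pin = DeviceState("d4", "win", True, 12, False, "203.0.113.7")
    legacy = DeviceState("d5", "legacy-os", True, 12, True, "203.0.113.8")
    staff = UserContext("alice", set(), "staff")
    admin = UserContext("bob", {"admins"}, "staff")
    ceo = UserContext("carol", set(), "ceo")
    return {
        "compliant_staff": decide(good, staff),
        "noncompliant_staff": decide(bad, staff),
        "noncompliant_ceo": decide(bad, ceo),
        "noncompliant_on_trusted_net": decide(bad_inside, staff),
        "trusted_net_but_level_3_required": decide(bad_inside, staff, required_level=3),
        "admin_missing_pin_only": decide(no_pin, admin),
        "admin_missing_encryption": decide(bad, admin),
        "blocked_platform_ceo": decide(legacy, ceo),
        "stale_assessment": decide(good, staff, assessed_at=NOW - timedelta(hours=48)),
    }
```

The split of responsibilities is the one the text allows rather than mandates: platform and network factors are applied by the policy service, role and group exemptions by the identity service's issuance policy, and the freshness standard by the endpoint, which treats a compliance statement older than `FRESHNESS` as expired. A hard platform block is not overridable by a role exemption, which is how the "always block" exempt rule is read here.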
The method 300 may be practiced where the identity service determines that the user device is not compliant and initiates remediation. For example, in some embodiments, the remediation may include redirecting the device 102 to the policy management service 108, where the policy management service 108 may direct the user to perform an action to bring the device 102 into compliance. Alternatively, the policy management service may provide a state or script that may be applied at the device 102 to bring the device 102 into compliance. In an alternative embodiment, the identity management service 106 may have information that allows the identity management service 106 to directly facilitate remediation. For example, the identity management service 106 may obtain information from the policy management service 108 and may then instruct the user of the device 102 what to do to bring the device 102 into compliance or provide the device 102 with a status or script to bring the device 102 into compliance.
Referring now to FIG. 4, a method 400 is shown. The method 400 may be practiced in a computing environment. The method 400 includes acts for providing a user device with access to one or more resources. An example of the method 400 is shown in FIG. 2 above.
The method 400 includes, at an identity management service, receiving a registration request from a user device for obtaining identity credentials from the identity management service (act 402). Thus, for example, the identity management service 106 can receive a request for identity credentials from the user device 102.
The method 400 also includes, at the identity management service, receiving from the policy management service an indication of whether the user device complies with the one or more policies, where the policy management service identifies the device to the identity management service using information the device provided with its identity credential (act 404). For example, the device 102 may present the identity credential to the policy management service 108. The policy management service 108 may determine that the device complies with certain policies. The policy management service 108 may then indicate to the identity management service 106 that the device 102 complies with the policy.
The method 400 also includes, at the identity management service, receiving a request from a service endpoint to verify that the device complies with the one or more policies (act 406). For example, the device 102 may request resources from the service endpoint 110. The service endpoint 110 may query the identity management service 106 directly for a token 114 that includes a device claim for the device 102 indicating that the device 102 complies with certain policies.
The method 400 further includes, at the identity management service, providing, to the service endpoint, a token with an indication of device compliance status with respect to the one or more policies based on the indication from the policy management service of whether the user device complies with the one or more policies (act 408). The identity management service 106 may provide the token 114 with the compliance claims directly to the service endpoint 110, and the service endpoint 110 may then provide the resource to the device 102 based on the token 114 and the compliance claims.
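Acts 402 through 408 as an added in-process exchange. This is not the patent's code: three services pass dictionaries instead of network messages, and the identity service signs each token with HMAC-SHA256 under a key shared with the endpoint, which is an assumption standing in for whatever token format and signature scheme a real deployment uses. Device ids, credentials, policy items, levels and resource names are all constructed for the example.

```python
"""Method 400 as an in-process exchange. Added example, not the patent's code:
the HMAC token format and shared key are assumptions; devices, credentials and
the policy list are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

def sign_claims(key: bytes, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_token(key: bytes, token: dict) -> bool:
    return hmac.compare_digest(sign_claims(key, token["claims"]), token["sig"])

class IdentityService:
    def __init__(self, key: bytes):
        self._key = key
        self._records: Dict[str, dict] = {}    # identity credential -> device record

    def register(self, device_id: str) -> str:
        """Act 402: registration request; returns the identity credential."""
        cred = "cred-" + secrets.token_hex(8)
        self._records[cred] = {"device_id": device_id, "compliant": None, "level": 0}
        return cred

    def set_compliance(self, cred: str, compliant: bool, level: int) -> None:
        """Act 404: indication from the policy service, keyed by the credential
        the device presented there."""
        rec = self._records[cred]
        rec["compliant"], rec["level"] = compliant, level

    def token_for(self, cred: str, audience: str) -> Optional[dict]:
        """Acts 406/408: the endpoint queries directly; the compliance claim is
        omitted (not set to false) when no positive indication is on record."""
        rec = self._records.get(cred)
        if rec is None:
            return None
        claims = {"sub": rec["device_id"], "aud": audience, "managed": True}
        if rec["compliant"]:
            claims.update(compliant=True, compliance_level=rec["level"])
        return {"claims": claims, "sig": sign_claims(self._key, claims)}

class PolicyService:
    """Policy management service: checks the reported state against the required
    items and forwards the verdict to the identity service."""
    def __init__(self, idp: IdentityService, required: dict):
        self._idp, self._required = idp, required

    def register(self, cred: str, state: dict) -> bool:
        violations = [k for k, want in self._required.items() if state.get(k) != want]
        compliant = not violations
        self._idp.set_compliance(cred, compliant, 3 if compliant else 0)
        return compliant

class ServiceEndpoint:
    def __init__(self, name: str, key: bytes, idp: IdentityService, required_level: int = 1):
        self._name, self._key, self._idp, self._level = name, key, idp, required_level

    def authorize(self, token: Optional[dict]) -> str:
        """Decide on a token: signature, audience, managed flag, compliance level."""
        if token is None or not verify_token(self._key, token):
            return "denied: missing token or bad signature"
        c = token["claims"]
        if c.get("aud") != self._name or not c.get("managed"):
            return "denied: token not for this endpoint"
        if not c.get("compliant") or c.get("compliance_level", 0) < self._level:
            return "denied: device not compliant"
        return "resource for " + c["sub"]

    def request_resource(self, cred: str) -> str:
        """Act 406: ask the identity service for the device's token, then decide."""
        return self.authorize(self._idp.token_for(cred, self._name))

REQUIRED = {"encrypted": True, "pin_required": True}   # constructed policy list

def run_exchange() -> dict:
    key = secrets.token_bytes(32)
    idp = IdentityService(key)
    pms = PolicyService(idp, REQUIRED)
    files = ServiceEndpoint("files", key, idp)
    cred_a = idp.register("device-a")
    pms.register(cred_a, {"encrypted": True, "pin_required": True})
    cred_b = idp.register("device-b")
    pms.register(cred_b, {"encrypted": False, "pin_required": True})
    cred_c = idp.register("device-c")                  # never visits the policy service
    forged = idp.token_for(cred_b, "files")
    forged["claims"]["compliant"] = True               # claim edited after signing
    other = idp.token_for(cred_a, "mail")              # valid token for another endpoint
    return {
        "compliant_device": files.request_resource(cred_a),
        "noncompliant_device": files.request_resource(cred_b),
        "unmanaged_device": files.request_resource(cred_c),
        "unknown_credential": files.request_resource("cred-unknown"),
        "tampered_claim": files.authorize(forged),
        "wrong_audience": files.authorize(other),
    }
```

The endpoint checks the signature, the audience and the managed flag before it looks at the compliance claim, so a token edited after issuance or a token issued for a different endpoint is rejected even though it names a registered device; a device that registered with the identity service but never reached the policy management service gets a token with the compliance claim absent, which the endpoint treats exactly like a non-compliant device.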
The method 400 may also include, when the state conforms to a set of policies defined at the policy management service, the identity service providing a token with a claim indicating that the device conforms to the one or more policies.
The method 400 may be practiced where the token includes a statement indicating a level of compliance of the user device with respect to the policy.
The method 400 may be practiced where the token does not include a compliance statement because the user device has a state that does not comply with the policy.
The method 400 may be implemented where the token indicates that the user device is managed by a policy management service.
The method 400 may be practiced where compliance statements that allow access to resources at the service endpoint are issued based on a token issuance policy.
The method 400 may be practiced where the issued token includes an expired compliance statement.
The method 400 may be implemented where the identity service determines that the user device is not compliant and initiates remediation.
Additionally, the method may be implemented by a computer system including one or more processors and a computer-readable medium, such as computer memory. In particular, the computer memory may store computer-executable instructions that, when executed by the one or more processors, result in performing various functions, such as the acts described in the embodiments.
As discussed in more detail below, embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system. The computer-readable medium storing the computer-executable instructions is a physical storage medium. Computer-readable media carrying computer-executable instructions are transmission media. Thus, by way of example, and not limitation, embodiments of the invention can include at least two distinct categories of computer-readable media: physical computer-readable storage media and transmission computer-readable media.
Physical computer-readable storage media include RAM, ROM, EEPROM, CD-ROM or other optical disk storage (such as CDs, DVDs, etc.), magnetic disk storage or other magnetic storage devices, solid state memory devices, etc., which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.
A "network" is defined as one or more data links that enable the transfer of electronic data between computer systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. Combinations of the above are also included within the scope of computer-readable media.
Further, upon reaching various computer system components, program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission computer readable media to physical computer readable storage media (and vice versa). For example, computer-executable instructions or data structures received over a network or a data link may be buffered in RAM within a network interface module (e.g., a "NIC"), and then eventually transferred to computer system RAM and/or to less volatile computer-readable physical storage media at a computer system. Thus, a computer-readable physical storage medium may be included in a computer system component that also (or even primarily) utilizes transmission media.
Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. The computer-executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, or even source code. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the described features or acts described above. Rather, the described features and acts are disclosed as example forms of implementing the claims.
Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired data links, wireless data links, or by a combination of hardwired and wireless data links) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.
Alternatively or additionally, the functionality described herein may be performed, at least in part, by one or more hardware logic components. By way of example, and not limitation, illustrative types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
The present invention may be embodied in other specific forms without departing from its spirit or characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims (20)

1. In a computing environment, a method of providing a user device with access to one or more resources, the method comprising:
at a user device, registering with an identity service to obtain an identity credential that omits a claim that the user device is a managed device;
the user device sending the identity credential to a service endpoint, at which it is determined that the identity credential omits the claim that the user device is a managed device;
at the user device, registering with a policy management service at least by presenting the identity credential to the policy management service, the user device registering with the policy management service in response to the user device being redirected from the service endpoint to the policy management service, the user device being redirected to the policy management service in response to the user device presenting the identity credential to the service endpoint that is determined to omit the claim that the user device is a managed device;
receiving, at the user device, a compliance policy list corresponding to compliance policies required for a managed device, the compliance policy list identifying one or more items of interest including at least (a) one or more changes to be made at the user device for the user device to comply with the compliance policies, or (b) one or more states of the user device required for compliance;
at the user device, performing at least one of: providing a notification to the policy management service, the notification indicating (a) the one or more states of the user device required for compliance, or (b) the user device taking a remedial action, the remedial action including the one or more changes required for the user device compliance, wherein the notification triggers transmission of a compliance state setting to the identity service;
receiving, at the user device, a token from the identity service, the token indicating a compliance state of the user device and a claim that the user device is a managed device, the token being based on the identity service receiving the compliance state settings from the policy management service; and
the user device transmits the token with the claim that the user device is a managed device to the service endpoint.
2. The method of claim 1, further comprising:
providing information about a compliance violation to a user of the user device and information about how to remedy the compliance violation.
3. The method of claim 1, wherein the token further comprises a compliance level.
4. The method of claim 1, wherein the compliance policy list includes a requirement that a password of the user device have a certain length.
5. The method of claim 1, wherein the compliance policy list includes a requirement that the user device require a character personal identification code to be used on the user device.
6. The method of claim 1, wherein the policy management service indicates a security level of the user device, the security level indicating at least one of an encryption level, a password strength, or a hacking status of the user device.
7. The method of claim 1, wherein the compliance policy list includes one of a user state, a group state, a role state, an IP address, or a platform state.
8. The method of claim 1, wherein the compliance statement that allows access to the resource at the service endpoint is issued based on a token issuance policy.
9. The method of claim 1, wherein the token further comprises an expired compliance statement.
10. The method of claim 1, wherein the remedial action comprises redirecting the user device to the policy management service, wherein the policy management service then directs a user of the user device to perform an action to place the user device in a compliance state.
11. A computer system, comprising:
one or more hardware processors; and
one or more computer-readable hardware storage devices having stored thereon computer-executable instructions executable by the one or more hardware processors to cause the computer system to provide access to one or more computing resources, and further to cause the computer system to perform:
registering with an identity service to obtain an identity credential that omits a claim that the computer system is a managed system;
sending the identity credential to a service endpoint, at which it is determined that the identity credential omits the claim that the computer system is a managed system;
in response to the computer system being redirected from the service endpoint to a policy management service, registering with the policy management service at least by presenting the identity credential to the policy management service, the computer system being redirected to the policy management service in response to the computer system presenting the identity credential to the service endpoint that is determined to omit the claim that the computer system is a managed system;
receiving a compliance policy list corresponding to compliance policies required for a managed system, the compliance policy list identifying one or more items of interest including at least (a) one or more changes to be made at the computer system for the computer system to comply with the compliance policy, or (b) one or more states of the computer system required for compliance;
performing at least one of: providing a notification to the policy management service, the notification indicating (a) the one or more states of the computer system required for compliance, or (b) the computer system taking a remedial action, the remedial action including the one or more changes required for the computing system compliance, wherein the notification triggers transmission of a compliance state setting to the identity service;
receiving a token from the identity service, the token indicating a compliance state of the computer system and a claim that the computer system is a managed system, the token being based on the identity service receiving the compliance state settings from the policy management service; and
transmitting the token with the claim that the computer system is a managed system to the service endpoint.
12. The computer system of claim 11, wherein the computer-executable instructions further cause the computer system to provide information to a user of the computer system regarding compliance violations and information regarding how to remedy the compliance violations.
13. The computer system of claim 11, wherein the token further comprises a compliance level.
14. The computer system of claim 11, wherein the compliance policy list includes a requirement that a password of the computer system have a length.
15. The computer system of claim 11, wherein the compliance policy list includes a requirement that the computer system require a character personal identification code to be used on the computer system.
16. The computer system of claim 11, wherein the policy management service indicates a security level of the computer system, the security level indicating at least one of an encryption level, a password strength, or a hacking state of the computer system.
17. The computer system of claim 11, wherein the compliance policy list includes one of a user status, a group status, a role status, an IP address, or a platform status.
18. The computer system of claim 11, wherein the token further comprises an expired compliance statement.
19. The computer system of claim 11, wherein the remedial action comprises redirecting the computer system to the policy management service, wherein the policy management service then directs a user of the computer system to perform an action to place the computer system in a compliance state.
20. One or more hardware storage devices having stored thereon computer-executable instructions executable by one or more hardware processors of a computer system to cause the computer system to provide access to one or more computing resources by causing the computer system to at least:
registering with an identity service to obtain an identity credential that omits a claim that the computer system is a managed system;
sending the identity credential to a service endpoint, at which it is determined that the identity credential omits the claim that the computer system is a managed system;
in response to the computer system being redirected from the service endpoint to a policy management service, registering with the policy management service at least by presenting the identity credential to the policy management service, the computer system being redirected to the policy management service in response to the computer system presenting the identity credential to the service endpoint that is determined to omit the claim that the computer system is a managed system;
receiving a compliance policy list corresponding to compliance policies required for a managed system, the compliance policy list identifying one or more items of interest including at least (a) one or more changes to be made at the computer system for the computer system to comply with the compliance policy, or (b) one or more states of the computer system required for compliance;
performing at least one of: providing a notification to the policy management service, the notification indicating (a) the one or more states of the computer system required for compliance, or (b) the computer system taking a remedial action, the remedial action including the one or more changes required for the computing system compliance, wherein the notification triggers transmission of a compliance state setting to the identity service;
receiving a token from the identity service, the token indicating a compliance state of the computer system and a claim that the computer system is a managed system, the token being based on the identity service receiving the compliance state settings from the policy management service; and
transmitting the token with the claim that the computer system is a managed system to the service endpoint.
CN201580049885.7A 2014-09-19 2015-09-17 Method, computer system and storage device for providing access to a resource Active CN106688220B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US14/491,819 2014-09-19
US14/491,819 US9444848B2 (en) 2014-09-19 2014-09-19 Conditional access to services based on device claims
PCT/US2015/050540 WO2016044500A1 (en) 2014-09-19 2015-09-17 Conditional access to services based on device claims

Publications (2)

Publication Number Publication Date
CN106688220A CN106688220A (en) 2017-05-17
CN106688220B true CN106688220B (en) 2020-03-31

Family

ID=54337342

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580049885.7A Active CN106688220B (en) 2014-09-19 2015-09-17 Method, computer system and storage device for providing access to a resource

Country Status (4)

Country Link
US (1) US9444848B2 (en)
EP (1) EP3195174B1 (en)
CN (1) CN106688220B (en)
WO (1) WO2016044500A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9756047B1 (en) 2013-10-17 2017-09-05 Mobile Iron, Inc. Embedding security posture in network traffic
US9444848B2 (en) * 2014-09-19 2016-09-13 Microsoft Technology Licensing, Llc Conditional access to services based on device claims
WO2018005143A1 (en) 2016-06-29 2018-01-04 Duo Security, Inc. Systems and methods for endpoint management classification
US10326671B2 (en) * 2016-10-18 2019-06-18 Airwatch Llc Federated mobile device management
US10785227B2 (en) * 2017-01-04 2020-09-22 International Business Machines Corporation Implementing data security within a synchronization and sharing environment
US11316897B2 (en) * 2017-05-19 2022-04-26 Vmware, Inc. Applying device policies using a management token
US10097490B1 (en) * 2017-09-01 2018-10-09 Global Tel*Link Corporation Secure forum facilitator in controlled environment
US11328115B2 (en) * 2018-05-10 2022-05-10 Microsoft Technology Licensing, Llc. Self-asserted claims provider
US10867044B2 (en) * 2018-05-30 2020-12-15 AppOmni, Inc. Automatic computer system change monitoring and security gap detection system
US10826771B2 (en) * 2018-09-28 2020-11-03 Cisco Technology, Inc. State identity vector for system self awareness
US11563733B2 (en) 2020-02-26 2023-01-24 Microsoft Technology Licensing, Llc. Security token validation using partial policy validations

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425903A (en) * 2008-07-16 2009-05-06 冯振周 Trusted network architecture based on identity
CN101682509A (en) * 2007-05-15 2010-03-24 微软公司 Use biologicall test to represent to come identity tokens

Family Cites Families (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5544322A (en) * 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
US7801964B2 (en) 2003-02-14 2010-09-21 Whale Communications Ltd. System and method for providing conditional access to server-based applications from remote access devices
US7437441B1 (en) * 2003-02-28 2008-10-14 Microsoft Corporation Using deltas for efficient policy distribution
US10275723B2 (en) * 2005-09-14 2019-04-30 Oracle International Corporation Policy enforcement via attestations
US7590705B2 (en) * 2004-02-23 2009-09-15 Microsoft Corporation Profile and consent accrual
US7194763B2 (en) * 2004-08-02 2007-03-20 Cisco Technology, Inc. Method and apparatus for determining authentication capabilities
WO2006065973A2 (en) * 2004-12-15 2006-06-22 Exostar Corporation Enabling trust in a federated collaboration of networks
US10764264B2 (en) * 2005-07-11 2020-09-01 Avaya Inc. Technique for authenticating network users
US7827545B2 (en) 2005-12-15 2010-11-02 Microsoft Corporation Dynamic remediation of a client computer seeking access to a network with a quarantine enforcement policy
US20070150934A1 (en) * 2005-12-22 2007-06-28 Nortel Networks Ltd. Dynamic Network Identity and Policy management
US7739744B2 (en) * 2006-03-31 2010-06-15 Novell, Inc. Methods and systems for multifactor authentication
US8689296B2 (en) * 2007-01-26 2014-04-01 Microsoft Corporation Remote access of digital identities
US8352743B2 (en) * 2007-02-07 2013-01-08 Nippon Telegraph And Telephone Corporation Client device, key device, service providing apparatus, user authentication system, user authentication method, program, and recording medium
US8087060B2 (en) * 2007-03-16 2011-12-27 James Mark Norman Chaining information card selectors
US20090086740A1 (en) * 2007-10-01 2009-04-02 General Instrument Corporation Customer Premises Gateway providing User Devices with Access to Internet Protocol Multimedia Subsystem (IMS) Services and Non-IMS Services
US8418238B2 (en) 2008-03-30 2013-04-09 Symplified, Inc. System, method, and apparatus for managing access to resources across a network
US8850548B2 (en) * 2008-05-27 2014-09-30 Open Invention Network, Llc User-portable device and method of use in a user-centric identity management system
CN102422298A (en) 2009-05-08 2012-04-18 惠普开发有限公司 Access control of distributed computing resources system and method
US8806566B2 (en) * 2009-11-19 2014-08-12 Novell, Inc. Identity and policy enforced inter-cloud and intra-cloud channel
US20110126197A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for controlling cloud and virtualized data centers in an intelligent workload management system
US8474009B2 (en) * 2010-05-26 2013-06-25 Novell, Inc. Dynamic service access
US20120331518A1 (en) * 2011-06-23 2012-12-27 Salesforce.Com, Inc. Flexible security token framework
US9965614B2 (en) * 2011-09-29 2018-05-08 Oracle International Corporation Mobile application, resource management advice
US8881229B2 (en) * 2011-10-11 2014-11-04 Citrix Systems, Inc. Policy-based application management
US8832840B2 (en) * 2011-10-26 2014-09-09 Verizon Patent And Licensing Inc. Mobile application security and management service
US8682802B1 (en) * 2011-11-09 2014-03-25 Amazon Technologies, Inc. Mobile payments using payment tokens
US9654574B2 (en) * 2011-12-23 2017-05-16 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatuses for determining a user identity token for identifying user of a communication network
TW201345217A (en) * 2012-01-20 2013-11-01 Interdigital Patent Holdings Identity management with local functionality
US8713633B2 (en) * 2012-07-13 2014-04-29 Sophos Limited Security access protection for user data stored in a cloud computing facility
US8745755B2 (en) * 2012-10-12 2014-06-03 Citrix Systems, Inc. Controlling device access to enterprise resources in an orchestration framework for connected devices
US9363241B2 (en) * 2012-10-31 2016-06-07 Intel Corporation Cryptographic enforcement based on mutual attestation for cloud services
US9218145B2 (en) * 2013-01-30 2015-12-22 Hewlett-Packard Development Company, L.P. Print job management
US9027114B2 (en) * 2013-03-12 2015-05-05 Cisco Technology, Inc. Changing group member reachability information
US20130254889A1 (en) * 2013-03-29 2013-09-26 Sky Socket, Llc Server-Side Restricted Software Compliance
US9270709B2 (en) * 2013-07-05 2016-02-23 Cisco Technology, Inc. Integrated signaling between mobile data networks and enterprise networks
US9998438B2 (en) * 2013-10-23 2018-06-12 Microsoft Technology Licensing, Llc Verifying the security of a remote server
US9407615B2 (en) * 2013-11-11 2016-08-02 Amazon Technologies, Inc. Single set of credentials for accessing multiple computing resource services
US9444848B2 (en) * 2014-09-19 2016-09-13 Microsoft Technology Licensing, Llc Conditional access to services based on device claims

Also Published As

Publication number Publication date
US9444848B2 (en) 2016-09-13
EP3195174B1 (en) 2018-08-22
US20160088017A1 (en) 2016-03-24
EP3195174A1 (en) 2017-07-26
WO2016044500A1 (en) 2016-03-24
CN106688220A (en) 2017-05-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant